Poorly written perl code that allows an attacker to specify the count to
perl's 'x' string repeat operator can already cause a memory exhaustion
denial-of-service attack. A flaw in versions of perl before 5.15.5 can
escalate that into a heap buffer overrun; coupled with versions of glibc
before 2.16, it possibly allows the execution of arbitrary code.

The flaw addressed to this commit has been assigned identifier
CVE-2012-5195.

Only the first character of the string was being checked when scanning
for the beginning position of the pattern match.

This was so wrong, it looks like it has to be a regression. I
experimented a little and did not find any. I believe (but am not
certain) that a multi-char fold has to be involved. The the handling of
these was so broken before 5.14 that there very well may not be a
regression.

The root cause of this bug is that it was assuming that a string was in
utf8 when it wasn't, and so was thinking that a byte was a starter byte
that wasn't, so was skipping ahead based on that starter byte.

at the moment, perl is compiled on GNU/Hurd without large file support.
This, other than the lacking of support for files > 2 GB, causes the
failure in the t/op/stat.t test.
The failure in stat.t happens because of the following: when filtering
devices in /dev/* using grep {} with -b/-c, stat fails for large
devices such as /dev/hdX blocks, or /dev/zero chars (this latter case
should be an Hurd-specific issue, but shouldn't matter for this case),
hence the counts done with grep {} and the ones done filtering the
output of `ls' don't match.

The attached patch enables the LFS using the same way used on linux.sh;
about t/op/lfs.t, it gets skipped at the "kernel/fs not configured to
use large files?" check, although it correctly detects sparse files and
(at least by looking at the disk usage) allocates the 5GB (or so) file
created with system() in that test.

according to the POSIX open()[1] about O_RDWR,
The result is undefined if this flag is applied to a FIFO.
.... which is actually our case.
Apparently Linux and *FreeBSD (and maybe also OSes) accept this
behaviour, but on GNU/Hurd this causes the open() call to block
undefinitely. Given there's nothing done with the FIFO if not querying
{,f}pathconf() values, the proposed solution I attached is to change
the opening mode to "O_RDONLY | O_NONBLOCK".

currently, there are few tests failing because of a broken NDBM module;
using the same hints as used on Linux (given that apparently the cause
is the same) makes the following tests pass:
t/op/dbm.t
cpan/autodie/t/dbmopen.t
cpan/Memoize/t/errors.t
cpan/Memoize/t/tie_ndbm.t
ext/NDBM_File/t/ndbm.t
lib/AnyDBM_File.t

Dominic Hargreaves adds: Note that the original git commit log [what
you see above] lists some tests which aren't affected in blead.

40f026236b9959b7 added code to the Linux hints file to use gcc to locate
libraries such as -lm. However, if the user has their own gcc earlier in $PATH
than the system gcc, we don't want its libraries. So try to prefer the system
gcc.

Configure would already find /proc/self/exe on NetBSD, where /proc/self is
a symlink to /proc/curproc. However, the revised probe avoids the extra
symlink traversal. Configure did not previously probe for the
relevant path on Solaris, /proc/self/path/a.out

Rename the description of /proc/curproc/file from BSD to FreeBSD, as it seems
that of the "big 3" BSDs, only FreeBSD uses this path.

Perl does not build on FreeBSD 10.0 because some checks in
hints/freebsd.sh think FreeBSD 10 is FreeBSD 1 and therefore enable
behaviour only appropriate for a.out systems.

The below patch was included in the lang/perl5.12 port and fixes its
build. The resulting binaries are also suitable to compile other ports.
I have also verified that this patch applies to lang/perl5.10 and
lang/perl5.14, making them build.

Avoid attacks on sitecustomize by using NUL delimiters to wrap filenames.

Previously the generated code used regular '' strings, which meant that a
crafted pathname containing ' characters could be used to inject code.
Until the previous commit, this was only a problem if building in or
Configuring to install to such a directory. Which, hopefully, would be
"obviously wrong" to anyone capable of building Perl from source.

However, fixing the bug that prevented sitecustomize being subject to
relocatable include now means that for a relocatable pearl, an end-user
controlled path can now reach the sitecusomize code.

Anyone who knows how the flags work will see immediately what’s wrong,
but for the sake of those who don’t:

The SVf_FAKE flag is set on a copy of a typeglob, meaning that assign-
ing something other than a glob to it will overwrite the glob, instead
of writing to one of its slots.

The SVf_FAKE flag on a read-only (SVf_READONLY-flagged) string means
that it’s not actually read-only, but a copy-on-write string.

SVf_READONLY on a glob means that you can’t even assign *through* it.
See the first Hash::Util example above.

The crashing occurs when the two flags are combined.
sv_force_normal_flags assumes that anything marked fake AND read-only
is a copy-on-write string, so it proceeds to gut it, even if it’s
actually just corrupting a glob.

First, disable all the unsupported flags just to make sure they aren't
triggering something they shouldn't be. Also, zero the pglob struct
before passing to bsd_glob(); it contains function pointers, and it's
safest if they are null rather than containing random stack data.

Commit eff7e72c3 (Detect incomplete caller overrides in Carp) used
this little trick for detecting a @DB::args that an overridden
caller() failed to set:

+ @args = \$i; # A sentinal, which no-one else has the address of

But there is a bug in caller(). The first time caller tries to write
to @DB::args, it calls Perl_init_dbargs first. That function checks
whether @DB::args is AvREAL, in case someone has assigned to it, and
takes appropriate measures. But caller doesn’t bother calling
Perl_init_dbargs more than once. So manually-assigned items in
@DB::args would leak, starting with the *second* call to caller.

Commit eff7e72c3 triggered that bug, resulting in a regression in
Carp, in that it started leaking. eff7e72c3 was backported to 5.12.2
with commit 97705941a4, so in both 5.12 and 5.14 Carp is affected.

This bug (the caller bug, not Carp’s triggering thereof) also affects
any caller overrides that set @DB::args themselves, if there are
alternate calls to the overridden caller and CORE::caller.

This commit fixes that by changing the if (!PL_dbargs) condition
in pp_caller to if (!PL_dbargs || AvREAL(PL_dbargs)). I.e., if
@args is either uninitialised or AvREAL then call Perl_init_dbargs.
Perl_init_dbargs also has a bug in it, that this fixes: The array not
only needs AvREAL turned off, but also AvREIFY turned on, so that
assignments to it that occur after its initialisation turn AvREAL back
on again. (In fact, Larry Wall added a comment suggesting this back
in perl 5.000.)

This is a regression in 5.10 caused by change 23966/08ca2aa38a29,
which added a bit of faulty logic. It was treating U* in the middle of
a pack template as equivalent to U0, if the input string was empty.

Correct the socketsize. Probably due to big-endian versus
little-endian, this has always worked on Intel CPUs. This
is a very very old problem, and it has been the reason I
never used gcc-4 on PA-RISC, because perl would not pass
the test suite in 64bitall.

Noticeable effects of wrong "$socksizetype" are return codes
of 0 (pass) from functions like getpeername (), but invalid
(or none) data in the returned structures or a return length
of 0 or 256. In the latter case, the length is stored in the
second part of the 64bit long and the 32bit first part is 0.
This might be true on Intel-like machines too, but the tests
will pass, as the significant part of the returned length is
in the first 32bits and a pointer to int will still see that
correct. Mind that in that case the 32bits after that might
have been overridden => can of worms.

As Nicholas Clark wrote in
nntp://nntp.perl.org/20110603192458.GZ2604@plum.flirble.org:

> $ valgrind ./perl -Ilib 91880.pl
> ==5542== Memcheck, a memory error detector
...
> I think that the problem is that this code in S_run_user_filter()
>
> ENTER_with_name("call_filter_sub");
> SAVEGENERICSV(GvSV(PL_defgv));
> SAVETMPS;
> EXTEND(SP, 2);
>
>
> is putting an action on the save stack to write to an address within
> the GP of PL_defgv. However, the perl code run about 10 lines later
> frees up the GP of PL_defgv, so the scope stack now has a dangling
> pointer. 12 lines later at scope exit, the scope stack unwinding
> writes to the pointer, and nasal daemons emerge.

This commit precedes the SAVEGENERICSV with a call to save_gp, to make
sure the GP is not freed (and then a call to GvINTRO_off [set by
save_gp], so that subsequent glob assignments are not implicitly
localised).

This basically emulates what happens with ‘local *_ = \$some_scalar’,
but without the extra intermediate RV.

In @INC filters (subs returned by subs in @INC), $_ is localised to a
variable to which the next line of source code is to be assigned. The
function in pp_ctl.c that calls it (S_run_user_filter) has a pointer
to that variable.

Up till now, it was not setting the refcount or localising
$_ properly.

‘undef *_’ inside the sub would destroy the only refcount it
had, leaving a freed sv for toke.c to parse (which would crash,
of course).

In some cases, S_run_user_filter has to created a new variable. In
those cases, it was setting $_ to a mortal variable with the TEMP
flag, but with a refcount of 1, which would result in ‘Attempt to free
unreferenced scalar’ warnings if the $_ were freed by the subroutine.

This commit changes S_run_user_filter to use SAVEGENERICSV, rather
than SAVE_DEFSV, to localise $_, since the former lowers the refcount
on scope exit, while the latter does not. So now I have also made it
increase the refcount after assigning to the now-properly-localised $_
(DEFSV). I also turned off the TEMP flag, to avoid weird side effects
(which were what led me to this bug to begin with).